Drammer: Are hardware vulnerabilities the Achilles heel of Android?

10/28/2016
G DATA Blog

Mobile devices, especially smartphones, are a very lucrative target for cyber criminals because they are a fixture of everyday private and working life. Researchers at VUSec Labs, the University of California and Graz University of Technology have succeeded in exploiting a security hole in Android smartphone hardware. The experts have called the attack vector “Deterministic Rowhammer” (Drammer for short).

In the wrong hands, this technique can be used to develop powerful malware that takes over the entire smartphone and gives unauthorised individuals extensive rights (root access). Like Rowhammer.js, Drammer shows that theoretical attacks such as Rowhammer have become increasingly easy to carry out over the past two years. It is just a matter of time until cyber criminals exploit these attack paths as well and cause damage for users.

Current security concepts at the operating system level can only mitigate the potential consequences. The root of the problem lies in today’s CPU and memory architecture.

What is Drammer?

For the first time, Drammer has enabled researchers to demonstrate architecture problems with the memory in Android smartphones. The researchers’ attack app needs no permissions and is capable of acquiring root access to the target device. Experts from VUSec Labs in the Netherlands, the University of California, Santa Barbara and Graz University of Technology have done so by transferring an already-known hardware security hole called Rowhammer to the Android system for the first time.

Rowhammer exploits the fact that the electrical charges of adjacent memory cells influence one another, because the rows of memory cells in a modern memory unit (DRAM) are positioned close together. This enables certain bits within these DRAMs to be changed with no need for direct access to the storage areas in question, which makes it possible to circumvent security precautions. In the case of Drammer, an attacker is able to fully circumvent the Android permissions system and acquire maximum user rights (“rooting”).

Until now, this had only been known to work on PCs and laptops; with Drammer, the researchers have shown for the first time that the problem also affects Android devices.

Fundamental development is not surprising

Security experts at G DATA have been seeing ever more sophisticated attacks on mobile devices in the last two years. In the past, user interaction was still required when installing an app; with current malware, this is no longer necessary. G DATA experts describe this change, brought about by the use of drive-by infections, in the current Mobile Malware Report. With Drammer, attacks on mobile devices will be able to reach a completely new quality and scale in future. The new attack vector underlines the need for hardware and operating system vendors to rethink their security concepts.

Security risk for users

Drammer represents a serious security risk for users. It is not being actively exploited at present, and the scientists’ proof-of-concept app has been disarmed so it cannot be used as an attack template by criminals. Nevertheless, many Android devices will not receive a timely update against this new threat, or will receive none at all. As with Stagefright before, owners of these devices will again need to find help themselves. The current example shows once again that, in the mobile sector especially, up-to-date security concepts are of fundamental importance. While it is possible to purchase the latest top smartphone every year, such advice is neither ethically nor commercially reasonable. Security updates for Android must reach every user, regardless of the device manufacturer. G DATA has already pointed out this problem numerous times.